CVE-2014-7810

Published: 07 June 2015

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

From the Ubuntu security team

It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism.

Priority

Medium

Status

Package    Release                            Status
tomcat6 (Launchpad, Ubuntu, Debian)
           Upstream                           Released (6.0.41-3)
           Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
           Ubuntu 16.04 ESM (Xenial Xerus)    Released (6.0.45+dfsg-1)
           Ubuntu 14.04 ESM (Trusty Tahr)     Released (6.0.39-1ubuntu0.1)
           Patches:
             Upstream: http://svn.apache.org/viewvc?view=revision&revision=1645366
             Upstream: http://svn.apache.org/viewvc?view=revision&revision=1659538
tomcat7 (Launchpad, Ubuntu, Debian)
           Upstream                           Released (7.0.61-1)
           Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (7.0.61-1)
           Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (7.0.61-1)
           Ubuntu 14.04 ESM (Trusty Tahr)     Released (7.0.52-1ubuntu0.3)
           Patches:
             Upstream: http://svn.apache.org/viewvc?view=revision&revision=1644019
             Upstream: http://svn.apache.org/viewvc?view=revision&revision=1645644
tomcat8 (Launchpad, Ubuntu, Debian)
           Upstream                           Released (8.0.21-2)
           Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (8.0.22-2)
           Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (8.0.22-2)
           Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist